U.S. Senator Mark Warner, Democrat of Virginia and chairman of the Senate Intelligence Committee, holds a hearing on global threats on April 14, 2021 on Capitol Hill in Washington, DC.
Saul Loeb | Pool | Reuters
Senator Mark Warner, D-Va., is preparing a bipartisan bill that would require some companies to report cyber incidents to the government so law enforcement can step in quickly.
Previewing the bill during an Axios cybersecurity event, Warner said he expects it to be rolled out in the next few weeks and believes broad support can help get it passed quickly. The recent cyberattacks against Colonial Pipeline, SolarWinds and meat supplier JBS have increased the sense of urgency in dealing with threats that appear to be linked to people in rival countries like China and Russia.
The bill would require critical infrastructure companies, state contractors, and government agencies to report cyber incidents to the government, Warner said, to allow law enforcement and private sector partners to intervene as quickly as possible during an attack.
Warner expects the business community to be open to the legislation.
“When we had this debate six or seven years ago, the economy didn’t want additional reporting,” he said. “I think they are now realizing that they are at risk themselves if they do not have to report.”
That threat was revealed in the SolarWinds attack, which became public after cybersecurity firm FireEye voluntarily exposed a hack from an allegedly government-sponsored actor. Shortly thereafter, Reuters reported that hackers had accessed government agency systems via software updates from SolarWinds, saying this was related to the FireEye incident. SolarWinds later announced that 18,000 customers were affected by the hack.
Warner said his bill would provide limited immunity for companies in connection with reports that would be kept confidential between the government and private sector partners.
In addition to legislation, Warner said the US would need to reset international standards by showing that adversaries who commit cyberattacks will pay a price even if the attackers themselves are not government actors.
He also said there needs to be a discussion about how to deal with ransomware, or efforts to hack and compromise systems until a ransom is paid. As it stands, companies and other entities that are victims of such hacks often pay a ransom to get their systems back online quickly, which Warner says could sometimes mean payments to sanctioned countries. At the very least, perhaps companies should be asked to disclose when they pay such ransom money.
Warner noted that some of the recent attacks could have been worse if the attackers had chosen to shut down the systems completely.
“I asked people to think about whether when the Russians stepped into the SolarWinds attack and invaded 18,000 companies, they chose to shut down all of these systems instead of just extracting information,” Warner said. “That would come close to an act of war for me and would have completely paralyzed our economy. And my fear is that cyber is becoming more and more sophisticated, moving from simply exfiltrating information to potentially extraordinarily destructive actions and we need to improve our game.”